undefined | Better HN

0 pointsjackpot514y ago0 comments

Primarily the model is capability based. Most things are managed through file descriptors. Services usually end up in a special namespace where they can no longer open new files at runtime, except from a highly restricted set of filesystems. This essentially disallows operating on anything beyond their current set of open file descriptors. This makes runtime inspection of the capabilities of each process fairly easy, and the build time declaration of those namespaces also pretty easy.

0 comments

1 comments · 1 top-level

vlmutolo4y ago

Wow, that sounds really exciting. How would this work for something like a service that runs for a long time, and periodically needs to make a web request (and therefore periodically opens a TCP socket)?

Are you counting the ability itself to open sockets as a "file descriptor"? Is it straightforward to implement a "namespace" (not sure if I'm using that correctly) that limits network access to certain IP addresses? Certain domains?

j / k navigate · click thread line to collapse